Bug 734123 - SELinux is preventing /usr/bin/virsh from read access on the chr_file /dev/random
Summary: SELinux is preventing /usr/bin/virsh from read access on the chr_file /dev/r...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.2
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-08-29 14:00 UTC by Milos Malik
Modified: 2012-10-15 14:47 UTC (History)
1 user (show)

Fixed In Version: selinux-policy-3.7.19-109.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 10:17:59 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1511 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-12-06 00:39:17 UTC

Description Milos Malik 2011-08-29 14:00:00 UTC
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-mls-3.7.19-108.el6.noarch
selinux-policy-minimum-3.7.19-108.el6.noarch
selinux-policy-3.7.19-108.el6.noarch
selinux-policy-doc-3.7.19-108.el6.noarch
selinux-policy-targeted-3.7.19-108.el6.noarch

How reproducible:
I don't know, it appeared in audit.log in my virtual machine

Steps to Reproduce:
1.
2.
3.
  
Actual results:
----
time->Mon Aug 29 15:36:20 2011
type=PATH msg=audit(1314624980.302:510): item=0 name="/dev/random" inode=3758 dev=00:05 mode=020666 ouid=0 ogid=0 rdev=01:08 obj=system_u:object_r:random_device_t:s0
type=CWD msg=audit(1314624980.302:510):  cwd="/"
type=SYSCALL msg=audit(1314624980.302:510): arch=40000003 syscall=33 success=no exit=-13 a0=6db692c a1=4 a2=6dc3ff4 a3=1 items=1 ppid=18030 pid=18031 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="virsh" exe="/usr/bin/virsh" subj=system_u:system_r:xm_t:s0 key=(null)
type=AVC msg=audit(1314624980.302:510): avc:  denied  { read } for  pid=18031 comm="virsh" name="random" dev=devtmpfs ino=3758 scontext=system_u:system_r:xm_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
----

Expected results:
* no AVCs

Comment 1 Milos Malik 2011-08-29 14:06:31 UTC
I'm able to reproduce it. It appears during each reboot when services are being shut down. Here is the relevant part of /var/log/messages:

Aug 29 16:00:03 rhel62 NetworkManager[1203]: <error> [1314626403.149683] [nm-man
ager.c:1360] user_proxy_init(): could not init user settings proxy: (3) Could no
t get owner of name 'org.freedesktop.NetworkManagerUserSettings': no such name
Aug 29 16:00:03 rhel62 init: tty (/dev/tty2) main process (1730) killed by TERM 
signal
Aug 29 16:00:03 rhel62 init: tty (/dev/tty3) main process (1732) killed by TERM 
signal
Aug 29 16:00:03 rhel62 init: tty (/dev/tty4) main process (1734) killed by TERM 
signal
Aug 29 16:00:03 rhel62 init: tty (/dev/tty5) main process (1736) killed by TERM 
signal
Aug 29 16:00:03 rhel62 init: tty (/dev/tty6) main process (1738) killed by TERM 
signal
Aug 29 16:00:04 rhel62 abrt[4629]: saved core dump of pid 4628 (/usr/bin/virsh) 
to /var/spool/abrt/ccpp-2011-08-29-16:00:03-4628.new/coredump (1142784 bytes)
Aug 29 16:00:04 rhel62 abrtd: Directory 'ccpp-2011-08-29-16:00:03-4628' creation
 detected
Aug 29 16:00:04 rhel62 avahi-daemon[1215]: Got SIGTERM, quitting.
Aug 29 16:00:04 rhel62 avahi-daemon[1215]: Leaving mDNS multicast group on inter
face virbr0.IPv4 with address 192.168.122.1.
Aug 29 16:00:04 rhel62 avahi-daemon[1215]: Leaving mDNS multicast group on inter
face eth0.IPv4 with address 192.168.100.186.
Aug 29 16:00:04 rhel62 setroubleshoot: SELinux is preventing /usr/bin/virsh from
 read access on the chr_file /dev/random. For complete SELinux messages. run sea
lert -l 1838f8f2-23d6-4e93-82fc-3c6c548dfd4b
Aug 29 16:00:04 rhel62 abrtd: Package 'libvirt-client' isn't signed with proper 
key
Aug 29 16:00:04 rhel62 abrtd: Corrupted or bad dump /var/spool/abrt/ccpp-2011-08
-29-16:00:03-4628 (res:2), deleting
Aug 29 16:00:05 rhel62 qpidd[1502]: 2011-08-29 16:00:05 notice Shut down
Aug 29 16:00:05 rhel62 abrtd: Got signal 15, exiting
Aug 29 16:00:06 rhel62 acpid: exiting
Aug 29 16:00:07 rhel62 ntpd[4414]: ntpd exiting on signal 15
Aug 29 16:00:07 rhel62 NetworkManager[1203]: <info> caught signal 15, shutting d
own normally.
Aug 29 16:00:07 rhel62 NetworkManager[1203]: <info> exiting (success)
Aug 29 16:00:07 rhel62 console-kit-daemon[1753]: WARNING: no sender#012
Aug 29 16:00:07 rhel62 init: Disconnected from system bus
Aug 29 16:00:08 rhel62 rpcbind: rpcbind terminating on signal. Restart with "rpc
bind -w"
Aug 29 16:00:08 rhel62 auditd[1856]: The audit daemon is exiting.
Aug 29 16:00:08 rhel62 kernel: type=1305 audit(1314626408.227:24539): audit_pid=
0 old=1856 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res
=1
Aug 29 16:00:08 rhel62 kernel: type=1305 audit(1314626408.368:24540): auid=42949
67295 ses=4294967295 subj=system_u:system_r:auditctl_t:s0 op="remove rule" key=(
null) list=4 res=1
Aug 29 16:00:08 rhel62 kernel: type=1305 audit(1314626408.388:24541): audit_enab
led=0 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditctl_t:s0 
res=1
Aug 29 16:00:08 rhel62 kernel: Kernel logging (proc) stopped.
Aug 29 16:00:08 rhel62 rsyslogd: [origin software="rsyslogd" swVersion="4.6.2" x-pid="1086" x-info="http://www.rsyslog.com"] exiting on signal 15.

Comment 2 Daniel Walsh 2011-08-29 16:24:30 UTC
Miroslav lets add this.  I just added it to F16.

Comment 3 Miroslav Grepl 2011-08-31 19:54:25 UTC
Fixed in selinux-policy-3.7.19-109.el6

Comment 6 errata-xmlrpc 2011-12-06 10:17:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html


Note You need to log in before you can comment on or make changes to this bug.